Hardware-based device authentication

ABSTRACT

An opportunity for a computing device to participate in a secure session with a particular domain is identified. A domain identifier of the particular domain is received and a secured microcontroller of the computing device is used to identify a secured, persistent hardware identifier of the computing device stored in secured memory of the computing device. A secure identifier is derived for a pairing of the computing device and the particular domain based on the hardware identifier and domain identifier of the particular domain and the secure identifier is transmitted over a secured channel to the particular domain. The particular domain can verify identity of the computing device from the secure identifier and apply security policies to transactions involving the computing device and the particular domain based at least in part on the secure identifier.

This application is a continuation of U.S. patent application Ser. No. 14/500,130, filed Sep. 29, 2014, which is a continuation of U.S. patent application Ser. No. 13/726,140, filed Dec. 23, 2012, now U.S. Pat. No. 8,850,543, issued Sep. 30, 2014, the content of which is hereby incorporated by reference.

TECHNICAL FIELD

This disclosure relates in general to the field of computer management and, more particularly, to hardware-based computer security management.

BACKGROUND

Computer systems management within modern enterprises and networks can include the use of tools and techniques for discovering attributes of the respective sub-systems in the network. Security tasks and management can be performed, for example, by assigning and enforcing security policies against devices in the network. Policies can be assigned to particular devices based on known attributes of the devices, for instance. Further, gaining access to and/or communicating with various devices in a network can include software-based tools configured to enable communication of various data between different operating systems and devices. Further, software-based agents can be installed on various devices within a system to provide administrators with the ability to inspect, control, and perform tasks on the devices, including security-related tasks. Traditionally, software-based agents are installed through the operating system of the host device, and the operating system is booted when the agent is active and able to communicate with management services utilizing and performing tasks through the agent. In such instances, management of the host device can be considered dependent on the presence (and operability) of the host device's operating system and/or the presence and operability (and security) of the installed agent.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a simplified schematic diagram of an example computing system including system devices having hardware-based management controllers in accordance with at least one embodiment;

FIG. 2 is a simplified block diagram of an example computing system including an example domain manager adapted to interact with hardware-based management controllers on one or more system devices within the system in accordance with at least one embodiment;

FIG. 3 is a simplified block diagram illustrating interactions between an example system device and a plurality of different domains in accordance with at least one embodiment;

FIGS. 4A-4B are simplified flow diagrams illustrating example interactions between an example domain manager and an example system device having a hardware-based management controller in accordance with at least one embodiment;

FIG. 4C is a simplified block diagram illustrating maintenance of a hardware-based identifier in accordance with at least on embodiment;

FIG. 5A is a simplified flow diagram illustrating negotiation of an example secure channel between an example system device and an example domain manager in accordance with at least one embodiment;

FIG. 5B is a simplified flow diagram illustrating interactions between an example system device having a hardware-based management controller and a plurality of example domain managers in accordance with at least one embodiment;

FIG. 6A is a simplified flow diagram illustrating interactions between an example domain manager and an example system device having a hardware-based management controller in accordance with at least one embodiment;

FIG. 6B is a simplified block diagram illustrating an example secure container in accordance with at least one embodiment;

FIGS. 7A-7B are simplified flowcharts illustrating example techniques for managing one or more system devices having hardware-based management controllers in accordance with at least some embodiments.

Like reference numbers and designations in the various drawings indicate like elements.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

FIG. 1 is a simplified block diagram illustrating an example computing environment 100 including a plurality of system devices (e.g., 102, 105, 106, 118, 120, 122, 128, 130, 132, 135) capable of interacting with various computing system, networks, or environments (or “domains”) (e.g., 108, 110, 112, 115). Some system devices can include a secured hardware-based management controller (e.g., 125 a-125 i) permitting secure generation and communication of secure identifiers for the system device that can be used in hardware-to-hardware communications and transactions (e.g., circumventing operating system control of the system device) between the secured hardware-based management controller (e.g., 125 a-125 i) and backend services, such as services of domains 108, 110, 112, 115, over one or more networks, including wide-area networks (WANs) such as the Internet (e.g., 116). In some implementations, hardware-to-hardware communication can take place out-of-band via channels independent or outside the control of the system device's (e.g., 102, 105, 106, 118, 120, 122, 128, 130, 132, 135) operating system.

Domains (e.g., 108, 110, 112, 115) can include computing networks, systems, and environments such as a private home network (e.g., 108), ecommerce system, search engine system, social media system, a network of a commercial or retail establishment (e.g., Internet access points, WiFi hotspots, etc.), and enterprise networks (e.g., 115), among other examples. Some system devices (e.g., 102, 105, 106) can migrate between and operate within multiple different domains (e.g., 108, 110, 112, 115), including, in some instances, multiple environments simultaneously. Multiple secure identifiers can be generated for a single system device, each secure identifier unique to the pairing of the system device with a particular domain. Additionally, backend servers of the domains (e.g., 108, 110, 112, 115) can be provided with functionality for negotiating the communication of the secure identifier as well as mutually authenticating the domain to the system device to ensure that only trusted entities are able to communicate directly with sensitive hardware-based controls (e.g., management controllers) of the system device, among other examples. In some implementations, each domain (e.g., 108, 110, 112, 115) can include a respective management system including functionality for identifying a hardware-based management controller (e.g., 125 a-125 i), and interfacing and communicating with the management controller of system devices (e.g., 102, 105, 106, 118, 120, 122, 128, 130, 132, 135) to obtain device information from the device and perform security and other device management tasks based on the received device information.

In some implementations, a management controller (e.g., 125 a-125 i) can be present on the motherboard or chipset of the system device (e.g., 102, 105, 106, 118, 120, 122, 128, 130, 132, 135) and be embodied on a microcontroller or dedicated processor independent of the central processing unit (CPU) (and any operating system) of the system device. A management server can thereby communicate, in-band or out-of-band, with the system device through its respective management controller. In some instances, a management server can provide an application programming interface (API) adapted to allow the management controller of the system device to interface with and receive and respond to instructions and requests of the management server. Such management services and tasks can include the negotiating of communication protocols and establishing of inter-device associations between system devices on a particular network or domain. Management servers can additionally, or alternatively, include system-security-related APIs, with the management server 170, 175 performing security-related tasks for a network 110, 115 through the management controller 108 of the system device.

In some implementations, hardware-based APIs can be established based on the provision of a secure identifier for a corresponding system device. For instance, a secure identifier can serve as the basis of uniquely identifying and authenticating a particular system device (e.g., 102, 105, 118, 122, 120) in a home network domain 108. Secure hardware-to-hardware communications can then be enabled between system devices (e.g., 102, 105, 118, 122, 120) on the home network domain 108 allowing a variety of different interactions between the devices. For instance, interactions, features, interoperations, and tasks can be enabled through such hardware-based management controllers and management systems according to the principles and examples described in U.S. patent application Ser. No. 13/718,043, entitled “Hardware Management Interface,” and U.S. patent application Ser. No. 13/718,200, entitled “Hardware Management Interface,” each incorporated by reference herein in their entirety. In another example, an enterprise system domain 115 can include a variety of system devices (e.g., 102, 106, 128, 130, 132, 135). The enterprise system domain 115 can utilize unique secure identifiers generated for each of the system devices to authenticate and uniquely identify the devices and apply security policies tailored to each of the devices. Domains can utilize secure identifiers and hardware-based APIs (e.g., authenticated-to through the secure identifiers) to enable to provide services based on a secured authentication of the device.

In general, “servers,” “clients,” “computing devices,” “network elements,” “hosts,” “system-type system entities,” and “systems,” including system devices in example computing environment 100 (e.g., 102, 105, 106, 118, 120, 122, 128, 130, 132, 135, etc.), can include electronic computing devices operable to receive, transmit, process, store, or manage data and information associated with the computing environment 100. As used in this document, the term “computer,” “processor,” “processor device,” or “processing device” is intended to encompass any suitable processing device. For example, elements shown as single devices within the computing environment 100 may be implemented using a plurality of computing devices and processors, such as server pools including multiple server computers. Further, any, all, or some of the computing devices may be adapted to execute any operating system, including Linux, UNIX, Microsoft Windows, Apple OS, Apple iOS, Google Android, Windows Server, etc., as well as virtual machines adapted to virtualize execution of a particular operating system, including customized and proprietary operating systems.

User, endpoint, or client computing devices can include traditional and mobile computing devices, including personal computers, laptop computers, tablet computers, smartphones, personal digital assistants, feature phones, handheld video game consoles, desktop computers, internet-enabled televisions, and other devices designed to interface with human users and capable of communicating with other devices over one or more networks (e.g., 108, 110, 112, 115, 116). Computer-assisted, or “smart,” appliances can include household and industrial devices and machines that include computer processors and are controlled, monitored, assisted, supplemented, or otherwise enhance the functionality of the devices by the computer processor, other hardware, and/or one or more software programs executed by the computer processor. Computer-assisted appliances can include a wide-variety of computer-assisted machines and products including refrigerators, washing machines, automobiles, HVAC systems, industrial machinery, ovens, security systems, and so on.

While FIG. 1 is described as containing or being associated with a plurality of elements, not all elements illustrated within computing environment 100 of FIG. 1 may be utilized in each alternative implementation of the present disclosure. Additionally, one or more of the elements described in connection with the examples of FIG. 1 may be located external to computing environment 100, while in other instances, certain elements may be included within or as a portion of one or more of the other described elements, as well as other elements not described in the illustrated implementation. Further, certain elements illustrated in FIG. 1 may be combined with other components, as well as used for alternative or additional purposes in addition to those purposes described herein.

Detecting, identifying, tracking, and managing assets in computing systems has traditionally been a significant challenge facing system administrators. A single unknown, poorly understood, or poorly monitored device connected to a network can potentially expose the entire system to a variety security threats and vulnerabilities, including malware, unauthorized data access, rogue users, etc. In some instances, agents (e.g., 140 a, 140 b) can be installed on system devices (e.g., 130, 132) to assist administrators in obtaining a view of the attributes of the system device, easily detect and communicate with the device on the network, and enforce particular security policies on the system device. Unmanaged devices (i.e., devices that do not possess an installed agent), however, may remain outside the communication, control, and monitoring of management systems designed to enable inter-device communication and operation, detect devices as they enter and leave the network, apply policies to various devices, and enforce security on the network can be hindered by not being able to effectively communicate with such unmanaged devices. Further, installing agents on some devices can be difficult, with the provisioning of agents jeopardized by the very dearth of information concerning the unmanaged device. Additionally, unmanaged devices, in some instances, rather than being able to integrate into a network and be a benefit to the user or the network at large, may be sent to a quarantined or managed sub-network until the unmanaged device can be more carefully inspected by administrators, have an agent installed on it, etc. Additionally, as more and more devices become “smart,” in that they are increasingly controlled by computing processors, include network communication adapters, and are able to communicate with other systems, the universe of potentially unmanaged devices continues to increase.

In addition, security management can involve management of a wide variety of system devices including devices utilizing varying platforms and operating systems. At least some of the systems described in the present disclosure, such as the systems of FIGS. 1 and 2, can include functionality that, in some cases, can address the above-discussed issues, as well as others not explicitly described herein. For instance, to provide this level of functional support across the variety of system device platforms, functionality can be provided below the operating system in the hardware through an example management controller (e.g., 125 a-125 i). Such management controller functionality can be implemented, for instance, consistently across a variety of hardware platforms, such as in connection with a family of chipsets capable of being utilized in a wide variety of system devices. A secure and trusted API can be provided, based in hardware, with remote accessibility capabilities, enabling consistent and reliable access to security data and operations even in the absence of an agent or other such components.

While the characteristics and capabilities of hardware APIs between devices and domains can vary and evolve to accomplish a potentially limitless variety of tasks and provide a limitless array of potential features, identity of a system device, as rooted or based in hardware, can serve as the atomic unit upon which such services can be built. In some instances, in addition to providing functionality for generating secure identifiers for the system device, management controllers can further enable access by remote servers to other trusted identity information. For instance, turning to the example of FIG. 2, a simplified block diagram 200 is shown of a computing environment including an example system device 205 and a domain management system 210 of a particular domain 215. The particular domain 215 can be one of several domains (e.g., 220, 225) with which the system device 205 can interact. Each of the domains can implement domain management systems employing principles similar to those of the domain management system 210 of domain 215. Further, in some instances, the system device 205 can interact with domains directly, such as by connecting to a private network controlled by or associated with the domain (e.g., 225) or alternatively at least partially over public networks, such as the Internet 116.

In one example implementation, a system device 205 can include a chipset 230 that includes a processor 232, such as a central processing unit (CPU), and memory 234, such as memory including system memory utilized by the CPU and accessible to an operating system (e.g., 250) of the system device 205, among other examples. The chipset 230, in some examples, can additionally include a management microcontroller 235 that can provide secured processing functionality to perform management tasks outside of (or below) the control and instructions of the operating system. An example management microcontroller 235, in some implementations, can run a lightweight microkernel operating system that provides a low-power, out-of-band management controller. In some implementations, a secured memory 238 can be provided that is accessed and utilized by the management microcontroller 235 to perform device management activities including the generation of secured identifiers for the system device 205. Secured memory 238 can be separate from system memory and can be embodied, as one example, as a flash memory component of the chipset 230, among other examples. Secured memory 238 can include authentication data 240 used by the management microcontroller 235 to generate secure IDs for the system device 205 and can, in some instances, include secure IDs themselves. Secured memory 238, in some implementations, can additionally include security posture data 242 that describes attributes of the system device 205 that is securely contained and insulated from being altered, controlled, or manipulated by users of the device 205, the operating system 250, or other entities, including malware and hackers who might gain access to the device's system memory and/or operating system 250, among other examples. Additionally, secured memory 238 can additionally include, store, or point to instructions and software (e.g., 245) executed by the management microcontroller to provide the functionality of a management controller, including the generation and management of secure IDs and security posture data 242, among other examples.

In addition to secured processing and memory facilities, system device 205 can further include a communication manager 248 that can be used to enable secured communication channels between a management controller and domains and their respective domain management systems. In some implementations, communication manager 248 can be implemented in connection with management microcontroller 235 to permit the management microcontroller to access networks while the operating system of the system device 205 is inactive, absent, etc. Accordingly, management microcontroller 235 can have direct access to network interfaces of the system device. In some implementations, management microcontroller can run a fully independent, out-of-band communication channel (such as through a dedicated TCP/IP stack) allowing the microcontroller to inspect and receive packets not processed by the CPU, as well as inspect inbound and/or outbound traffic before the CPU has access to it. Effectively, two logical network connections can be maintained on a single physical networking connector of the device 205, one in-band through the CPU (e.g., 232) and the other out-of-band through the management microcontroller 235. Network filters in communication manager 248 can be utilized to programmatically redirect traffic to either a host operating system interface or the interface of the management controller at micromanagement controller 235, for instance, based on port numbers, among other implementations. An independent network communication channel can allow the management microcontroller 235 (and management controller implemented using the management microcontroller) to perform a variety of communications and remote management functions that can take place effectively potentially at all times without regard to the state of the operating system, for example.

Management microcontroller 235 can utilize independent and/or dedicated network communication channel(s) to communicate with outside systems, including management systems (e.g., 210) of domains (e.g., 215, 220, 225) over one or more networks (e.g., 116, network of domain 215, etc.). The management controller of the system device and domain management system (e.g., 210) can mutually authenticate in connection with their interaction, session, APIs, etc. In one example implementation, one or more certificates (e.g., 244) can be maintained corresponding to a certificate authority that issues the certificate to domains (for use through their respective domain management systems) evidencing that the domain is legitimate, trusted, and meets thresholds for qualifying as a domain authorized, under the certificate, to interface and communicate with hardware-based management controllers. Such certificates may be specific to a particular make, model, or implementation of a management controller in some implementations. Before communicating sensitive information to a domain management system, a management controller can verify that the corresponding domain management system possesses a copy of the certificate (e.g., 260) or is still an authorized holder of the certificate (e.g., based on a query to the certificate's authority). The management controller can in turn provide a secured identifier of the system device to authenticate the system device at the domain.

In some instances, certificates (e.g., 244) can be maintained on management controller-accessible memory (e.g., 238), together with security posture data 242, authentication data 240, and other information. Management controller-accessible memory (e.g., 238) can also be written-to by the management microcontroller. In some implementations, management controller-accessible memory (e.g., 238) can be non-volatile, protected memory, in that other hardware components of system device 205 and the operating system 250 of the system device 205 cannot access the memory 238, thereby ensuring the integrity and confidentiality of information stored in secured memory 238. Further, in addition to protected management controller-accessible memory (e.g., 238), management microcontroller 235 can, in some implementations, additionally access system memory (e.g., 234), allowing the management controller to access additional information concerning attributes of the system device 205 such as applications (e.g., 252) of the system device, security tools and countermeasures (e.g., 254) deployed on the device, activity and history of the system device, geolocation information for the device, user profiles of the system device, networks used or connected to by the device, etc. Such information can be used in the generation of security posture data 242 securely contained within the system device's 205 hardware in some implementations. Further, in some examples, a management controller can be further configured to manage the secure provisioning of agents, software updates, security tools, and other programs, features, and data onto the system device to enhance the functionality and security of the device, among other examples.

An example domain management system 210 can be embodied in computing devices, servers, and facilities of a domain to manage interaction with hardware-based management controllers of system devices connecting to and participating in the domain. For example, an example domain management system 210 can include one or more processors 256, one of more memory elements 258, among other tools and components such as a controller manager 255, asset manager 270, policy administrator 272, and agent manager 278, among other potential components. A controller manager 255 can provide functionality for identifying, authenticating, and managing sessions with one or more system devices (e.g., 205) attempting to make use of hardware-based management controllers in connection with the devices' interaction with the domain (e.g., 215). For instance, a controller manager 255 can manage mutual authentication of a domain (e.g., 215) and system device (e.g., 205), for instance, validating to the system device that it has been issued a certificate by a trusted authority and accepting and managing secured identifiers and other information from the system device. Further, the controller manager 255 can manage the system devices with which it has communicated, including those engaging the domain using a hardware-based management controller. For instance, controller manager 255 can maintain secured identifier data mapping secured IDs to individual system devices utilizing hardware-based management controllers.

Asset data 265 can also be maintained or made available to an example device management system 210, the asset data describing attributes of a plurality of assets included in or identified as accessing the domain, including system devices having hardware-based management controllers (e.g., 205). Asset data can be collected from a variety of sources, including installed agents on the individual assets, scans of the assets (e.g., by various security tools, local and/or network-based scanners, etc.), as well as from security posture data and other attribute data received via communications with assets utilizing hardware-based management controllers. Assets can include system devices, networks, applications, data structures, as well as human users making use of, included in, and/or administrating systems of the domain. Further, secure identifiers of client system devices can be maintained together with and/or mapped to profiles in asset data 265, among other examples.

In addition to a policy manager 270 providing functionality for dynamically assigning policies to particular system devices and enforcing these policies, in some implementations, a policy manager 270 can further include functionality for defining new policies, modifying existing policies, establishing rules and criteria for applying policies to particular system devices (e.g., based on detected attributes of the devices), and so on. A policy manager 270 can operate in cooperation with one or more security tools deployed within the network and locally on the system devices themselves. For instance, some security tools can be deployed remote from a system device allowing for policy enforcement to take place remote from the target system device, application, or person, thereby allowing security enforcement without the policy (or enforcement) being pushed to the target itself. This can be useful, for instance, in the security enforcement of mobile devices that move on and off of a monitored network, as well as unmanaged devices, such as devices not including agents or other local security tools capable of enforcing important security policies. Such security tools can include, for example, firewalls, web gateways, mail gateways, host intrusion protection (HIP) tools, network intrusion protection (NIP) tools, anti-malware tools, data loss prevention (DLP) tools, system vulnerability managers, system policy compliance managers, asset criticality tools, intrusion detection systems (IDS), intrusion protection systems (IPS), and/or a security information management (SIM) tool, among other examples. Nonetheless, security enforcement is also possible locally on a target system device, for instance, through security tools running, loaded, or otherwise interfacing directly with the system device. Security tools can further provide the management controller, in some instances, with an interface for enforcing policy directly at the target device. For instance, in some examples, agents deployed on system devices can serve as a security enforcement tool, for instance, blocking particular activities locally at the device according to one or more security policies applied to the particular system device, passing policy instructions to other security tools on the particular system device, among other examples.

Attribute information included in asset data 265 can be used to determine policies 275 to be applied to the individual asset. A policy manager 270 can be provided managing the development and enforcement of policies 275 within a domain (e.g., 215). In some instances, policies can be tailored to the individual asset based on the asset data. In other instances, pre-developed policies can be matched to assets based on the asset data. Policies 275 can include security and compliance policies, among other policies used to manage and govern a domain. For instance, access to data, applications, services, and other resources of the domain, security tasks, audits, scans, countermeasure deployment, updates, and other actions can be performed based on adherences to policies 275, among other examples. Further, for system device assets utilizing hardware-based management controllers, policy enforcement can attempt to leverage the management controllers to perform such tasks. As one example, information can be obtained from a system device allowing the domain management system 210 to identify drivers for the system device that can be downloaded or otherwise identified and accessed to permit the domain management system 210 to better communicate with and coordinate communication with the system device as well as communication between the system device and other computing devices within the domain.

In another example, a domain management system can include an agent manager 278 adapted to assist in the loading of agents on to various assets within the domain. In some implementations, an agent manager 278 can be used to load an agent onto a system device through a hardware-based management controller. The agent can then be used to assist in managing and identifying the system device. In some implementations, an agent manager 278 can assist in loading persistent agents on the system device, while in other examples, temporary, dissolvable agents can be loaded, for instance, corresponding with a given session between the system device (e.g., 205) and the domain 215.

The loading of agents, is but one of a potentially unlimited number of tasks and services that can be performed securely and effectively through a hardware-based management controller interfacing with a trusted domain management system to improve security, operability, and the feature sets of both the domain and the system device. Indeed, managed system devices (e.g., devices already having an agent), can themselves be improved through the provision of a hardware-based management controller. For instance, when an endpoint is altered due to re-imaging, operating system reinstallation, hardware updates (new disk, or new network cards), or simply uninstalling the agent, among other examples, the ability to identify the system and install a new, corresponding replacement agent can be based on re-identification of the system device based on its secured ID. This can also benefit provisioning of appliances either within a third-party domain (e.g., a customer environment) or in the cloud as the identity of a system device can be reliably and consistently verified. In addition, insuring that the device is in a known state during the boot phase can provide an additional data point that represents the trust level of the device prior to performing any sensitive tasks involving the device. Among other additional examples, “lying endpoint” attacks can threaten to compromise the integrity of an endpoint system device by calling into question the validity of the agent data being reported. Through a hardware-based secure ID generated through the hardware-based management controller, this entire category of problems can be negated due to the ability to reliably validate the identity of the system device.

Further, the security state of a system device can be extrapolated based on trustworthy security posture data (e.g., 242) to help refine the assessment of the risk that a particular asset poses to the environment before granting it access to the network. As another example, network monitors (such as firewalls, intrusion detection systems, intrusion prevention systems, and other security tools) can be improved by leveraging trustworthy secure ID data, rooted in hardware, in lieu of (or as a supplement to) other less-persistent or spoofable identifiers such as an IP address, MAC address, or the like. Through the secure networking capabilities of some implementations of management controllers, out-of-band network access to the security posture data and other resources of the secure memory (e.g., 238) can be enabled allowing for still additional features and services, including the performance of support and diagnostic tasks while the main processor, system memory, operating system, etc. are unavailable or not operable, among other examples and advantages.

Further, attribute information described in security posture data stored at the system device can be communicated to an authenticated domain management system using a management controller. Such information can include information identifying the type of system device and computing equipment on the system device, allowing the management system to either identify and/or retrieve device drivers corresponding to the system device. The attribute information, in one example, can include the identification of the make, model, and manufacturer of the system device's computing equipment and/or the system device itself. The attribute information can also include identification of firmware, operating systems, and other software used by the system device's computing equipment, including version information. Using the attribute information, management system (e.g., using controller manager) can identify sources (including remote sources) serving device drivers, updates, and other information for the system device and/or its computing equipment. Such information can then be used to perform various security-related tasks and improve transactions with the system device.

Turning to the example of FIG. 3, a simplified block diagram is shown illustrating that a single system device 205 can maintain and provide multiple unique secure IDs (e.g., 305, 310), each secure ID corresponding to and unique to a particular pairing of the system device 205 with a different, respective domain (e.g., 210, 220). The system device 205, through hardware-based management controller 302, can generate or identify the secure ID corresponding to a particular domain and communicate the secure ID (e.g., 305, 310), outside the access and control of the device's 205 operating system, to the domain, such as to a domain management system of the domain, among other examples. The domain can then authenticate and identify the device from the secure ID.

Turning to the examples of FIGS. 4A-4C, example flow diagrams 400 a-c are illustrated showing example techniques in the generation and use of secure IDs for an example system device. In FIG. 4A, particular software 410 of a system device, such as an application within the operating system of the system device, can request a transaction 412 with a domain (e.g., at domain interface 415). The domain can utilize a domain manager (referred to elsewhere herein as a “domain management system”) 420 to request 414 whether the system is capable of providing a trusted, hardware-based secure ID, for instance, through a secure, hardware-based management controller (e.g., 405) of the system device. The request 414 can also direct the system device to provide the secure ID to authenticate the system device at the domain. In the particular example of FIG. 4A, the system device returns a response 416 to the domain denying the request 414.

A denial (e.g., 416) can result from a variety of factors. In some instances, the domain may not have a valid certificate recognized by the system device (e.g., using management controller 405) as indicating that the domain is a trustworthy partner for communicating with the management controller 405, provisioning and/or sharing of a secure ID of the system device, sharing of security posture data with the domain, etc. In another example, the system device may not be equipped with a management controller compatible with the domain and its request 414. In still other examples, a secure session involving the management controller of the system device and the domain can be user-directed. For instance, in response to receiving the request 414, a user interface can be presented to the user on the system device requesting approval to engage the management controller 405 to set up a secure hardware-to-hardware communication between the system device and domain. In such instances, a user can freely elect to deny the domain the privilege of interfacing with the management controller of the system device, among other examples. In such instances, the system device can attempt to engage in a traditional session with the domain (e.g., transactions 422), without the assistance or features of a management controller 405 and a secure session established using management controller 405 and domain manager 420.

In the example of FIG. 4A, in response to the denial to establish a secure session with the domain manager 420, the domain manager 420 can cause a set of policies to be applied 418 to the system device. The set of policies can be default policies for any such system device, or similar model of system device, that does not (or cannot) provide the enhanced identification services of a secure ID and secured communication channel using a compatible management controller. Such policies can include security policies, ecommerce policies, etc. that result in a user of the system device enjoying a reduced level of access to the domain, its services, data, promotions, etc. In some instances, the requested transaction (e.g., at 412) of the system device can be conditioned on the exchange of a valid secure ID, the denial 416 resulting in denial of the requested transaction by the domain. In other examples, such as the example illustrated in FIG. 4A, the requested transaction can still be carried out (e.g., 422) despite the denial and the stricter policies 418 (such as more restrictive security policies) being applied to the system device during the transaction 422.

Turning to the example of FIG. 4B, another transaction request 432 can be forwarded from software 410 of a system device to a domain 415 resulting again in a request 432 for a secure ID from the system device. For instance, a corresponding domain manager 420 (e.g., of Domain A) can be utilized to attempt to establish a secure session making use of the functionality of a management controller 405 of the system device. For instance, the domain manger 420 can request 435 a secure ID from the system device to authenticate (and potentially re-identify) the system device. Again, in some examples, a user can be presented with and given the option of permitting a secure session to be established with the domain, as well as setting rules and/or preferences for the session. For instance, a user can set rules, preferences, or parameters for establishing what security posture data and types of data can be shared with the requesting domain (e.g., in some cases varying the amount of data that is shared based on the particular identity of the domain), establishing whether the management controller 505 can automatically attempt to join a secure session with a domain (or subset of user-identified domains) (e.g., by skipping a user authorization step), among other examples.

Further, a secure communication channel can be negotiated and established 438 between the management controller 405 and the domain manager 420 to facilitate private communications between the management controller and domain manager (that can be outside of the control and interpretation of the system device's operating system). Further, the management controller 405 can be provided 440 with a domain certificate of Domain A to authenticate the domain manager 420 as a trustworthy partner for the secure session (e.g., as in previous examples). In some instances, the domain certificate can be passed 440 to the management controller 405 in connection with the negotiation and construction (e.g., 438) of a secure communication channel. In the example of FIG. 4B, the management controller 405 can identify information in the domain certificate that identifies the domain. In some instances, the domain certificate can include data that uniquely identifies the domain. The management controller 405 can use the management controller's secure (and secret) hardware identifier 425, together with the domain identifier to generate a secure ID unique to the pairing of the management controller 405 (and corresponding system device) and the domain manager (and corresponding domain). In some instances, the secure ID can be derived through a hash of the secure hardware identifier 425 and the domain identifier, among other examples.

Upon deriving the secure ID from the hardware ID 425, the management controller 405, as in other examples, can then return the secure ID 445 to the domain manager to identify and authenticate the management controller (and system device) at the domain. The domain manager 420 can then determine whether the secure ID has been previously received at the domain or is a new secure ID within the domain. In instances where the secure ID matches a previously-received secure ID, the domain manager 420 can identify a pre-generated profile and profile data corresponding to the secure ID, and re-associate the system device with the profile based on the secure ID. In instances where the secure ID is determined to be a new secure ID for Domain A, the domain manager 420 can generate a profile record corresponding to the new secure ID. A profile record can be used to collect and store security data describing security-related attributes of the device (and/or user) associated with the management controller 405 and secure ID. Other attributes can also be recorded in a profile record and associated with the secure ID including, for example, session information, user profile information, browsing history, account information, etc. corresponding to and collected during the system device's interactions and transactions in the domain (e.g., using the management controller 405). In this manner, the domain manager can reliably identify the use of a particular system device within the domain based on the secure and trustworthy secure ID. The domain manager 420 may then, as in other examples, determine security policies (and other policies) tailored to the attributes of the system device and apply 448 these policies to the system device in transactions 450 within a secure session between the management controller and domain manager 420.

Turning to FIG. 4C, a simplified block diagram 400 c is shown illustrating components and interactions involving an example management controller 405. In this particular example implementation, management controller 405 can include a management microcontroller with secure management microcontroller read-only memory 472 that is accessible to the management microcontroller but isolated from other elements of the system device, such as the CPU, operating system, etc. The management microcontroller memory 472 can include a fuse key 475 or another permanent identifier embedded in hardware of the system device. Such permanent hardware IDs can be set during fabrication of the system device chipset and be unique and private to the system device. In some instances, in order to assist in preserving the privacy of users of the system device, a separate, private hardware ID 476 can be derived from the fuse key value 475. In some instances, the hardware ID 476 is a permanent identifier stored in flash memory of the management controller 405 (e.g., as it is based on a permanent fuse key value) and can be derived so that it is also globally unique. In still other examples, multiple hardware IDs 476 can be generated for a single device. For instance, in interactions with domains and service providers that provide multiple different services (e.g., email, ID management, content providers, online retail, social networking, etc.), multiple different hardware IDs can be used to generate multiple secure IDs for a single device-domain pairing, with each secure ID paired to a particular service or context of the device-domain pairing. This can assist in preventing user or device data from being cross-associated across the multiple services of a domain, among other examples.

In some instances, the hardware ID 476 derived from the hardware fuse key 475 can be used in the generation of secure IDs used in establishing secure sessions with a domain. In other implementations, a further hardware-based identifier, or root ID 478, can be derived from the hardware ID 476. For example, the root ID 478 can be a persistent identifier stored in flash memory (e.g., 474) of the management microcontroller. In some implementations, the root ID 478 may be reset and replaced as desired by a user to generate new root IDs 478 derived from the same hardware ID. For example, while the root ID 478 can be protected from manipulation or tampering by a user, operating system and corresponding applications, third-parties, etc., a user, to protect privacy, can nonetheless be permitted the option of deleting a root ID and prompting generation of a new, different root ID using the management controller. It should be appreciated that secure IDs derived from the new root ID will be different from the secure IDs derived from the previous root ID in some implementations. Consequently, users can manually disassociate their system devices from previous profiles maintained by various domains and associated with a previous secure ID value derived from a previous root ID by resetting the root ID and thereby replacing the previous root ID value with a new root ID from which new secure IDs are derived.

As shown in the example of FIG. 4C, a certificate 484 can also be maintained on flash memory of the management microcontroller. The certificate 484 can be a copy of a root certificate 482 of a trusted certificate authority authorizing and authenticating domain managers as trusted partners in communications with hardware-based management controllers (e.g., 405). The copy of certificate 484 can be used in connection with authentication of a domain manager, for instance, in response to domain certificates (e.g., 480) received or associated with a particular domain in connection with mutual authentication of the management controller and domain manager, establishing a secure connection between the management controller and domain manager (e.g., using a secure exchange protocol), etc. The management controller, for instance, can utilize the certificate 484 to verify domain certificates (e.g., 480) received from a domain manager. An example domain certificate 480 can include a serial number 485, domain unique identifier 486, certificate type field, public key 490 of the certificate, signature of the certificate authority 492, among potentially additional data that can be used in connection with identification and authentication of a corresponding domain manager.

As further shown in the example of FIG. 4C, in some implementations, a management microcontroller (of a management controller) can receive the domain certificate and process the domain certificate 480 to identify a domain identifier 486 value of the domain. The same domain identifier 486 can be included in every domain certificate received from the domain (or other message used by the domain to communicate the domain identifier). The management microcontroller can then derive a unique secure ID 495 specific to the pairing of the system device and the domain from the domain identifier and root ID. For instance, the secure ID 495 can be derived by combining the domain identifier and root ID, for instance, through a hash of the domain identifier and root ID values. In this particular example, rather than storing a set of various domain-specific authentication data (such as seeds) in secure flash memory 474 of the management microcontroller, a single root ID (or, in some alternative implementations, the hardware ID 476) can be stored in flash memory 474, allowing the same domain-specific secure ID to be derived and re-derived each time the system device attempts to establish (and re-establish) a secure session with a given domain, the management microcontroller accessing and utilizing the same combination of persistent root ID 478 and domain ID 486 inputs.

Returning to the example of FIG. 4B, as noted above, a hardware-based ID 425 (such as hardware ID 476 or root ID 478, as examples), can be used to derive multiple secure IDs, each secure ID corresponding to a respective domain. For instance, the system device can interact (e.g., at 452) with a second domain, Domain B (e.g., via domain interface 428). A domain manager 430 of Domain B can request 455 a secure session and secure ID of the system device, allowing a user to specify whether such a session with Domain B is desired. A secure exchange protocol and connection can be negotiated 458 as in previous examples, together with the authentication of the second domain manager 430 based on, for instance, a domain certificate of Domain B. In some implementations, the domain certificate of each domain (e.g., Domains A and B) can be provided through a common certificate authority, such as a certificate authority responsible for identifying partner domains meeting thresholds for compatibility and trustworthiness with a particular make, model, and/or manufacturer of a chipset including the management controller, etc.

Continuing with the example of FIG. 4B, as with the session with Domain A, the management controller 405 can utilize information from the domain certificate (such as a unique domain identifier (e.g., 486)) together with the hardware ID 425 to derive a secure ID corresponding to the system device's pairing with Domain B. The secure ID can then be communicated 465, over the secure communication channel, to the domain manager 430. The domain manager 430 can map the received secure ID to a profile maintained by the domain manager and identify policies tailored to the system device (or to system devices generally that utilize a management controller to establish a secure session with the domain) that can be applied 468 to the system device during the session including transactions 470.

In some implementations, a system device, through management controller 405, can concurrently participate in multiple secure sessions with multiple different domains (e.g., Domains A and B). In some implementations, a management controller can further maintain session data identifying a session, secure communication parameters of the session (e.g., the exchange protocol used, keys and encryption schemes used, etc.), the domain involved in the session (together with the authentication status, domain identifier, etc.), among other data for tracking the domain, session, and corresponding secure ID to be used during the session.

It should be appreciated that in some implementations, a management controller can be configured to derive secure IDs according to multiple different protocols and schemes. For instance, in some implementations, a management controller can be configured to both derive secure IDs from hardware-based hardware ID data, as described in the examples of FIGS. 4A-4C, as well as according to other protocols, such as according to the principles and examples described in U.S. patent application Ser. No. 13/726,148, entitled “Hardware-Based Device Authentication,” filed on Dec. 23, 2012. For instance, both a root ID (e.g., 478) for use in hardware-ID-based secure IDs and seeds provided by a domain (e.g., 443) can be stored and maintained by a management microcontroller in secure flash memory (e.g., 474). Indeed, in some implementations, a root ID (or other hardware ID) can be used together with seed data to derive one-time-passwords or other secure IDs for use with some domains, among other examples. For instance, seed data can be used as a domain identifier and hashed or otherwise combined with a hardware ID to generate a secure ID. In some instances, a management controller can identify, for instance, from the identity of the requesting domain or the domain's request for a secure ID which secure ID format to apply to the requesting domain, among other examples.

As noted in the above examples, secure communication channels can be negotiated and established between a management controller of a system device and domain manager of a domain. In some instances, the negotiation of the exchange protocol used to establish the secure communication channel can include the passing of certificates and other data identifying the domain for use by the system device in authenticating the domain manager for interactions with the system device's hardware-based management controller. In some example implementations, key-based encryption can be utilized to secure communications between a domain manager and management controller. Further, in some implementations, a secure key exchange protocol can additionally be used to securely exchange the keys used in the encrypted channel. The channel can be secured to hide the content of secure IDs, seeds, authentication data, security posture data, and other information transmitted from (or to) the management controller from other components, processors, applications, operating systems, etc. of the system device. In this manner, data communicated by the management controller to the domain can be protected from manipulation or influence by users, applications, or other entities attempting to compromise, advertently or otherwise, the legitimacy of data maintained by the management controller.

In some implementations a key-exchange protocol can be utilized that permits mutual authentication and secure key exchange in connection with the establishment of a secure communication channel between a management controller and domain manager. In some implementations, a protocol can be used that is both secure (e.g., from man-in-the-middle, unknown key share, identity misbinding, and other attacks) and maintains privacy of the identity of at least one of the parties (e.g., the management controller in this example). In one example implementation, an encrypted communication channel can be established between a management controller and domain manager utilizing a SIGMA key exchange protocol or other protocol that establishes secret shared keys through a sign and mac mechanism as well as principles of Diffie-Hellman exchanges. For instance, turning to the example of FIG. 5A, a simplified flow diagram 500 a is shown illustrating an example SIGMA exchange between a management controller 505 and domain manager 515, permitting the negotiation of secure IDs outside the influence of the software 510 of the system device. In the example of FIG. 5A, system device software 510 provides 525 a public value S1. The value S1 can include, in some instances, a public base g^(x) of the management controller 505. In response, the domain manager 515 can send 530 S2, confirming the request for the secure ID and including: g^(y), B, SIG_(B)(g^(x),g^(y)), MAC_(Km)(B), where g^(y) is the public base of the domain manager, B is the public key of the domain manager, SIG_(B)(g^(x),g^(y)) is the signature of g^(x) and g^(x), and MAC_(Km)(B) is the mac of B. In response, the management controller 505 can send S3 including A, SIG_(A)(g^(y),g^(x)), MAC_(Km)(A), as well as, in some instances, the secure ID encrypted using the key B of the domain manager.

In some implementations, communications between a management controller (e.g., 505) and domain manager (e.g., 515) can be leveraged to derive a secure ID corresponding to the system device's pairing with the corresponding domain. As in the examples above, the secure ID can be utilized to provide hardware-based authentication of the management controller's device within the domain, among other examples. For instance, in the example of FIG. 5B, a simplified flow diagram 500 b is shown including an example management controller 505 and device software 510 of an example device together with respective domain interfaces (520, 528) and domain mangers of (515, 530) of domains adapted to accept hardware-based device authentication through management controller 505. For examples, a transaction request 532 can be transmitted from the device to the domain causing a SIGMA handshake to be initiated (e.g., at 535). In response, domain manager 540 can communicate 540 the S2 value in the handshake to the management controller 505. Additionally, a domain “basename” value, or domain identifier, can be included in or appended to the transmission 540 of S2 that uniquely identifies the domain. The management controller can receive the S2 value and identify the domain identifier and attempt to verify the authenticity of the domain at least in part based on the domain identifier. Further, the management controller 505, as in the examples of FIGS. 4A-4C, can use a persistent hardware ID and derive 542 a secure ID for the device using the domain identifier and hardware ID 525. The derived secure ID can be unique to the pairing of the device and the domain. In some instances, a key derivation function can be used to derive the secure ID.

After deriving the secure ID, the management controller 505 can respond to the SIGMA S2 communication 540 by communicating S3 545. In this example, the management controller 505 can cause the secure ID to be included in the communication 545. Domain manager 520 can receive the communication 545 to both complete the SIGMA negotiation as well as obtain the secure ID value derived by the management controller 505. Other information can also be conveyed by the management controller for use in verifying the identity of the device, such as the make, model, version, etc. of the device, among other examples. Further, security policies can be applied 548 to the device by the domain based on the hardware-based authentication of the device and one or more transactions 550 can be completed between the device and domain. Additionally, session keys derived from the domain-specific basename (e.g., at 540) can be used to bind the pairing of the client device and domain to the transactions 550, providing another layer of security allowing the client device and domain to verify the identity of the other party throughout the transactions, among other examples and benefits.

As in the examples of FIGS. 4B-4C, after initially deriving and sharing the hardware ID-derived secure ID with the domain manager, subsequent transactions can cause the secure ID to be re-derived to re-authenticate the device to the domain manager. For instance, as shown in FIG. 5B, a subsequent transaction request 552 can be sent from the same device to the same domain. A SIGMA negotiation can again be initiated 555. In response, the domain manager can provide a pairing-specific ID with the S2 response 560. For example, the pairing-specific response can include the same domain identifier from its original S2 response (e.g., 540). The management controller can recognize the domain from the identifier and attribute sessions resulting from the SIGMA negotiations to the domain. In other instances, pairing identifier can include the derived secure ID (e.g., received at 545). In such instances, multi-tenant privacy is provided along with assurances to both the client device and the domain that each party to transactions 580 is authentic. For example, the management controller can perform key derivation operations on the received secure ID (e.g., the “PAIRING_ID” of 560) to derive the original domain identifier (e.g., received at 540). In other instances, the original domain identifier can be included in or appended to the S2 response incorporating the secure identifier as the pairing identifier basename to assist the management controller in verifying that the domain is a legitimate holder of the secure ID (e.g., based on the management controller 505 re-deriving 555 the secure ID from the re-provided domain identifier), among other examples. In either instance, the management controller 505 can confirm the identity of the domain (e.g., on the basis that the domain knows the secure ID). In some cases, the management controller can re-verify its identity by passing the re-derived secure ID back (at 570) to the domain manager 515 through the completion of the SIGMA negotiation, among other examples. The domain manager 515 can identify the secure ID from the SIGMA message 570 and query a database or other structure to see if the secure ID is a known secure ID. In this example, the domain manager 515 can identify that the secure ID corresponds to the device, reauthenticate the device, and re-apply the security policies to the device. Further, the domain manager 515 can apply information collected during previous transactions (e.g., 550) with the device to refine the policies applied 575 to the device in subsequent transactions (e.g., 580) as well as tailor services, products, and user experience offerings based on previously collected information mapped to the device and indexed by the secure ID of the system device. Additionally, session keys for transactions 580 derived from the pairing identifier basename can be utilized to bind the transactions 580 to the pairing of the client device and the domain, among other examples and implementations applying the above principles.

Turning now to the example of FIG. 6A, a simplified flow diagram 600 a is shown illustrating a hardware-based management controller's involvement in the secure communication and management of security posture data and other data describing attributes of the system device. For instance, as in previous examples, a domain manager 620, in response to a system device's attempt to initiate 625 one or more transactions with the domain (e.g., at domain interface 615), can attempt to initiate a secure session with the system device through a request 630 for a secure ID of the system device. A secure communication session can be established 635 and the certificate of the domain can be verified 640 in connection with an authentication of the domain. Using approaches similar to those of either (or a combination of) the examples of FIGS. 4A-4C, as well as other approaches, a secure ID can be derived by the management controller 605 and communicated 645 to the domain manager 620. In the example of FIG. 6A, upon establishing a secure connection with the domain manager 620, the management controller 605 can additionally pass 655 at least a portion of security posture data 650 over the secure channel to the domain manager 620. In some implementations, the portion of the security posture data 650 can be communicated together with the secure ID as a security container structure, allowing the domain to more directly identify and bind the security posture data to the system device profile identified through the secure ID. Such containers can apply principles and examples described in U.S. patent application Ser. No. 13/726,167, entitled “Trusted Container,” filed on Dec. 23, 2012, among other examples.

Security posture data 650 can include a variety of data describing attributes of the system device. In some instances, security posture data 650 can describe persistent attributes of the system device, such as identifiers of the model and manufacturer of the chip set, identification of the system device, system device, type, etc. and other information. Such persistent attributes can, in some examples, be pre-loaded (e.g., at manufacture) onto secure memory of the management controller. Other data may describe more dynamic attributes of the system device. For instance, the management controller can access and query system memory, peripherals of the system device, other processors of the system device, the operating system of the system device, and other system device entities to identify and collect other attributes of the system device. Such collected attributes can also be added to and included in the security posture data. Additionally, the management controller 605 can additionally monitor and identify updates and changes to attributes of the system device and capture these changes in security posture data.

As with root IDs, seeds, and other authentication data maintained in secure memory of the management controller, security posture data describing various attributes of the system device can be isolated from control or influence of the user, operating system, third parties, etc. thereby providing a secure and trustworthy repository, or container, for recording the attributes of the system device that may be useful in sharing with domains with which the system device interacts. Sharing (e.g., at 655) security posture data can permit the domain manager to better identify aspects of the system device, influencing which policies, such as security policies, are applicable to the device and allowing the domain manager to better tailor application 660 of the policies to transactions involving the system device and domain. Such transactions can include not only software-based transactions (e.g., 665) but also hardware-to-hardware transactions, such as transactions between the management controller 605 and a domain manager 620.

Turning to FIG. 6B, an example trusted secure container 670 is shown, in accordance with one example implementation. The secure container can package the secure ID 675 of the system device in the domain together with a set 680 of security posture data to be communicated to the domain manager for use in introducing the system device to the domain manager, for instance, at the beginning of a secure session or when providing an API between the domain and management controller. In one example implementation, the set of security posture data 680 can describe one or more system device attributes such as boot policies of the system device, an OEM public key hash for the system device, among other examples. Indeed, a variety of security posture attributes can be included in security posture data maintained by the management controller and capable of being shared with one or more domain managers. For instance, the operating system type, version, patches, etc. can be identified and maintained in security posture data together with the applications installed on the system device. In some instances, security posture data can also identify the countermeasures and security tools deployed on the system device. An identification of user profiles, use history and statistics, behavioral information, and other information describing users of the system device can also be collected (e.g., from other sensors collecting such data on the system device). Additionally, security profile data can described attributes including geopositional information collected from the device (e.g., from global positioning system components of a system device), present operating state of the device can be identified (e.g., whether the device is on/off, battery/charge level, etc.), the mode of the device (e.g., how the device is being used, collected for instance from accelerometers or other components of the device).

Some of the attributes included in security posture data can be highly device dependent. For instance, a system device, such as an in-dash computer of an automobile can include information describing the functions and state of the automobile as monitored by the computer. Similar state information can be collected by management controllers included in the chipsets of smart appliances. As should be appreciated, the types of attribute data that can be potentially collected and maintained in security posture data can be as varied and diverse as the ever expanding variety of smart devices, personal computing devices, peripherals, and other devices including networking and computer processing capabilities.

The portion and type of security posture data that is shared by a management controller 605 can vary from domain to domain. In some instances, the management controller can identify a minimum amount of information requested by the domain and provide only this minimum set. In addition to an initial set of security posture data (e.g., as encapsulated in a trusted secure container 670), the management controller 605 can utilize the secure session to communicate additional security posture data on an as-needed, or as-requested basis to the domain based on the types of interactions between the domain and the system device. For instance, a transaction involving the system device's consumption of a particular service provided by the domain can call for specific types of information concerning the system device included in security posture data.

Security posture data can provide an up-to-date and trustworthy accounting of attributes of the system device that are relevant to a domain's assessment of the security of the system device. Based on the attributes of the device as communicated in security posture data, a domain can better appreciate the vulnerabilities and security profile of the system device, allowing the domain to more accurately and comprehensively apply security policies and take preventative measures to account for the weakness (or strength) of the system device's security profile. Indeed, while in some instances a secure session between a system device and a domain can result in more permissive policies being applied to the system device, in other instances, upon receiving security posture data from the system device indicating critical vulnerabilities or other troubling attributes, the domain may actually apply more restrictive policies to interactions with the system device based on the security posture data.

FIGS. 7A-7B are simplified flowcharts 700 a-b illustrating example techniques, involving a hardware-based management controller of a computing device attempting to transact with a domain. In the example of FIG. 7A, a system device can attempt 705 to access a particular domain and receive 710 a request from the domain to participate in a secure session with the domain. A domain identifier of the particular domain can be received 715, for instance, in connection with the receipt of a domain certificate from the particular domain. The domain certificate, in some implementations, can be received in connection with the negotiation of a secure communication channel (e.g., in a key exchange) between the particular domain and the system device. Further, a persistent hardware identifier can be identified 720 in secure memory of a management controller of the system device. The hardware identifier can be a secret value accessible only to the management controller and protected from manipulation by the central processor, operating system, and other elements of the system device. In some implementations, the hardware identifier can be based on identifiers permanently embedded in hardware of the device and set during the device's manufacture, such as a fuse key. The management controller can derive 725 a secure identifier from the domain identifier and hardware identifier, such as through a hash of the domain identifier and hardware identifier. The secure identifier can be unique to the pairing of the system device with the particular domain and can be hidden and protected from other elements of the system device. The management controller can then communicate 730 the secure identifier to the particular domain, for instance, over the secure communication channel between the system device and particular domain. The secure identifier can be private to the management controller and particular domain, ensuring, to the particular domain, that the secure identifier is authentic. Further, other data can also be communicated together with the secure identifier to assist the particular domain in identifying and working with the system device. Such data can include security posture data and other data describing attributes of the system device, among other examples.

Turning to the example of FIG. 7B, from the standpoint of the particular domain (e.g., at a domain manager of the particular domain), the system device's attempt to access the domain can be identified 740 prompting a request to be sent 745 to the system device inviting participation in a secure session with the particular domain. A domain identifier can be communicated 750 as well to the system device, for instance, in response to the system device accepting the request to participate in the secure session. The domain identifier can be communicated in a domain certificate sent to the system device in connection with an authentication of the particular domain (or domain manager) at the system device and/or the establishment of a secure communication channel between the system device and the particular domain. A secure identifier can then be received 755 from the system device, for instance, over the secure communication channel, the secure identifier derived from the domain identifier and a persistent hardware identifier maintained in secure memory of the system device. Other data, such as security posture data, can also be received and associated with the secure identifier (and thereby the system device). On the basis of the secure identifier (and other data, such as the security posture data), the particular domain can identify policies relevant or applicable to the system device. Such policies can be applied 760 to transactions involving the system device and the particular domain and can include security policies, ecommerce policies, data access policies, regulatory compliance policies, and among others. In some instances, security posture data or other data describing attributes of the system device can be received in the secure session (or during authentication of the system device) from the management controller and policies applied to the system device can be based on or tailored to account for the described attributes. The attributes communicated by the management controller can be considered to be more trustworthy than attribute data communicated by other, non-hardware-based components of the system device more prone to manipulation, spoofing, etc.

Although this disclosure has been described in terms of certain implementations and generally associated methods, alterations and permutations of these implementations and methods will be apparent to those skilled in the art. For example, the actions described herein can be performed in a different order than as described and still achieve the desirable results. As one example, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve the desired results. Systems and tools illustrated can similarly adopt alternate architectures, components, and modules to achieve similar results and functionality. For instance, in certain implementations, multitasking, parallel processing, and cloud-based solutions may be advantageous.

Embodiments of the subject matter and the operations described in this specification can be implemented in digital electronic circuitry, or in computer software, firmware, or hardware, including the structures disclosed in this specification and their structural equivalents, or in combinations of one or more of them. Embodiments of the subject matter described in this specification can be implemented as one or more computer programs, i.e., one or more modules of computer program instructions, encoded on computer storage medium for execution by, or to control the operation of, one or more processor devices. Alternatively or in addition, the program instructions can be encoded on an artificially generated propagated signal, e.g., a machine-generated electrical, optical, or electromagnetic signal that is generated to encode information for transmission to suitable receiver apparatus for execution by a data processing apparatus. A computer storage medium can be, or be included in, a computer-readable storage device, a computer-readable storage substrate, a random or serial access memory array or device, or a combination of one or more of them or other examples. The computer storage medium can also be, or be included in, one or more separate physical components or media (e.g., multiple CDs, disks, or other storage devices), including a distributed software environment or cloud computing environment.

Networks, including core and access networks, including wireless access networks, can include one or more network elements. Network elements can encompass various types of routers, switches, gateways, bridges, loadbalancers, firewalls, servers, inline service nodes, proxies, processors, modules, or any other suitable device, component, element, or object operable to exchange information in a network environment. A network element may include appropriate processors, memory elements, hardware and/or software to support (or otherwise execute) the activities associated with using a processor for screen management functionalities, as outlined herein. Moreover, the network element may include any suitable components, modules, interfaces, or objects that facilitate the operations thereof. This may be inclusive of appropriate algorithms and communication protocols that allow for the effective exchange of data or information.

While this specification contains many specific implementation details, these should not be construed as limitations on the scope of any inventions or of what may be claimed, but rather as descriptions of features specific to particular embodiments of particular inventions. Certain features that are described in this specification in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a subcombination or variation of a subcombination.

In general, subject matter of the present disclosure includes methods, software, computer executable instructions, and systems capable of performing such tasks as identifying an opportunity for a computing device to participate in a secure session with a particular domain, receiving a domain identifier of the particular domain, and identifying, using a secured microcontroller of the computing device, a secured, persistent hardware identifier of the computing device stored in secured memory of the computing device. A secure identifier can be derived for a pairing of the computing device and the particular domain based on the hardware identifier and domain identifier of the particular domain and the secure identifier can be transmitted over a secured channel to the particular domain.

In one example, a system can be provided that includes a system processor device, system memory accessible to the system processor device, and a management controller. The management controller can include a management microcontroller and secure management controller memory isolated from the system processor and system memory and storing a secured, persistent hardware identifier. The management microcontroller can be adapted to execute instructions to identify an opportunity to participate in a secure session with a particular domain, receive a domain identifier of the particular domain, derive a secure identifier for a pairing of the computing device and the particular domain based on the hardware identifier and domain identifier of the particular domain, and communicate the secure identifier over a secured channel to the particular domain. In some examples, the instructions can stored in the management controller memory. The instructions can be implemented as an applet, in some instances, that is loaded to the management microcontroller at runtime. The management controller memory can further store security posture data and the management controller can be adapted to cause the security posture data to be communicated to the particular domain over the secured channel, among other examples.

In some instances, the secured microcontroller is independent of an operating system of the computing device and values of secure identifiers derived by the secured microcontroller are hidden from the operating system. The secure identifier can be a unique identifier within a system. The hardware ID can be derived based on a permanent fuse key identifier for the computing device. In some implementations, the hardware ID can survive a system wipe. The hardware identifier, in some instances, can be replaced by receiving a request to reset the hardware identifier, resetting the hardware identifier, and deriving a secured, persistent replacement hardware identifier. In one example, a second, different secure identifier for the pairing of the computing device and the particular domain can be derived based on the replacement hardware identifier and the domain identifier of the particular domain. In another example, an opportunity can be identified for the computing device to participate in a secure session with a second domain and a domain identifier of the second domain can be obtained. Further, a secure identifier can be derived that corresponds to the pairing with the second domain based on the hardware identifier and domain identifier of the second domain.

In some instances, security posture data can be sent over the secured channel that describes attributes of the computing device. The computing device can be a mobile device in some examples. Further, secure memory can be embodied in flash memory of the secured microcontroller. The domain identifier can be included in a domain certificate of the particular domain and can, in some cases, be received in connection with a negotiation of a key exchange protocol, such as a SIGMA protocol, used in establishing the secured channel. The particular domain can be authenticated based on a verification of the domain certificate and authentication of the domain can permits derivation of the secure identifier. Authenticating the domain can include authenticating a domain manager communicating with the management microcontroller.

In another general aspect, subject matter of the present disclosure includes methods, software, computer executable instructions, and systems capable of performing such tasks as identifying an opportunity for a secure session between a particular domain and a client device, the secure session based, at least in part, on identity verification of the client device. A domain identifier of the particular domain can be communicated to the client device and a secure identifier can be received from the client device that is a unique identifier for the client device corresponding to a pairing of the client device and the particular domain and derived based on a persistent, private identifier embedded in hardware of the client device. Security policies can be applied to transactions involving the client device and the particular domain based at least in part on the secure identifier.

In some instances, the secure identifier can be associated with a profile in a plurality of profiles in the domain. A received secure identifier can be assessed to determine whether the secure identifier corresponds to an existing profile in the plurality of profiles. Determining that the secure identifier is a new secure identifier can lead to the generation of a profile and association of the secure identifier with the new profile. The domain identifier can be included in a domain certificate used to authenticate the domain at the client device. Further, an encrypted communication channel can be established between the domain and a secured microcontroller of the client device, and the secure identifier can be received over the encrypted communication channel. Additionally, security posture data can be received from the client device over the encrypted communication channel, the security posture data describing attributes of the client device and stored in secured memory of the client device. The security posture data can be associated with the secure identifier and the security policies can be identified based at least in part on the security posture data. Additionally, in some instances, the secure identifier can be derived based on both the private identifier and domain identifier, among other examples and combinations of the foregoing.

Thus, particular embodiments of the subject matter have been described. Other embodiments are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. 

What is claimed is:
 1. A device comprising: a microcontroller comprising a management controller; secured memory; and a network interface; wherein the management controller is configured to: identify a domain identifier of a first domain of a plurality of domains, the domain identifier included in a domain certificate received from the first domain; identify a first permanent hardware identifier set as a fuse key value embedded in hardware of the device during fabrication, the first permanent hardware identifier being unique and private to the device; identify a plurality of unique second private hardware identifiers stored in the secured memory, each derived from the first permanent hardware identifier for a corresponding one of a plurality of different services of the first domain; derive a plurality of hardware-based root identifiers from the plurality of unique second private hardware identifiers respectively, wherein resetting and replacing each root identifier by a user disassociates the device from a corresponding user profile maintained by the first domain; store the plurality of root identifiers in the secured memory; derive a plurality of secure identifiers for a pairing of the device and the first domain based on the plurality of root identifiers respectively and the domain identifier, each of the plurality of secure identifiers being different and corresponding to one of the plurality of unique second private hardware identifiers; cause a secure identifier of the plurality of secure identifiers to be sent over a secured channel to a domain computing device associated with the first domain; responsive to a request received from the first domain, identify an initial set of security posture data for the device; cause the initial set of security posture data for the device to be provided to the domain computing device over the secured channel; identify an additional set of security posture data for the device based on a first interaction between the device and the first domain; and cause the additional set of security posture data for the device to be provided to the domain computing device over the secured channel; and wherein the network interface is configured to transmit the secure identifier, the initial set of security posture data, and the additional set of security posture data over the secured channel to the domain computing device.
 2. The device of claim 1, wherein the microcontroller is independent of an operating system of the device and values of the plurality of secure identifiers derived by the microcontroller are hidden from the operating system.
 3. The device of claim 2, wherein the management controller is further to query at least one of the secured memory of the device, the operating system of the device, a peripheral device associated with the device, a second processor of the device, or another entity of the device to collect the additional set of security posture data from the device.
 4. The device of claim 1, wherein the management controller is configured to re-derive the secure identifier when the device is to establish a second secure session with the domain computing device.
 5. The device of claim 1, further comprising a communication manager to enable a secured communication channel between the microcontroller and the plurality of domains.
 6. The device of claim 1, wherein the device comprises one or more of a computer-assisted appliance, an industrial device, a computing system of an automobile, a tablet computer, and a smartphone.
 7. The device of claim 1, where the management controller is configured to participate concurrently in a plurality of secure sessions with at least two of the plurality of domains.
 8. The device of claim 1, wherein the initial set of security posture data comprises data describing persistent attributes of the device, and the additional set of security posture data comprises data describing dynamic attributes of the device that can change based on the first interaction.
 9. The device of claim 1, wherein the management controller is further to present information to a user of the device to determine whether to establish the secured channel between the device and the domain computing device, and the management controller is further to use rules established by the user to determine whether to cause one or both of the initial set of security posture data and the additional set of security posture data to be provided to the domain computing device.
 10. The device of claim 1, wherein the secure identifier enables the domain computing device to authenticate the device at the first domain, the device is to determine whether the first domain is trustworthy before providing the secure identifier to the first domain, the secured channel is to be established if the device is authenticated at the first domain and the device determines that the first domain is trustworthy, the secure identifier enables the domain computing device to re-authenticate the device and determine whether to perform a subsequent second interaction with the device, and the additional set of security posture data for the device is provided to the domain computing device if the first domain needs or requests the additional set of security posture data to enable the subsequent second interaction.
 11. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a device, cause the device to: detect that the device has entered a first domain; receive a domain identifier of the first domain over a network associated with the first domain, the domain identifier included in a domain certificate; identify, using a secured microcontroller of the device, a first permanent hardware identifier set as a fuse key value embedded in hardware of the device during fabrication, the first permanent hardware identifier being unique and private to the device; identify, using the secured microcontroller, a plurality of unique second private hardware identifiers of the device stored in a non-volatile memory of the device, each derived from the first permanent hardware identifier for a corresponding one of a plurality of different services of the first domain; derive, using the secured microcontroller, a plurality of hardware-based root identifiers from the plurality of unique second private hardware identifiers respectively, wherein resetting and replacing each root identifier by a user disassociates the device from a corresponding user profile maintained by the first domain; store the plurality of root identifiers in the non-volatile memory; derive, using the secured microcontroller, a plurality of secure identifiers for a pairing of the device and the first domain based on the plurality of root identifiers respectively and the domain identifier of the first domain, each of the plurality of secure identifiers being different and corresponding to one of the plurality of unique second private hardware identifiers; cause a secure identifier of the plurality of secure identifiers to be sent over a secured channel to a domain computing device associated with the first domain; responsive to a request received from the first domain, identify an initial set of security posture data for the device; cause the initial set of security posture data for the device to be provided to the domain computing device over the secured channel; identify an additional set of security posture data for the device based on a first interaction between the first domain and the device; and cause the additional set of security posture data for the device to be provided to the domain computing device over the secured channel.
 12. The storage medium of claim 11, wherein the secured microcontroller is independent of an operating system of the device and values of the plurality of secure identifiers derived by the secured microcontroller are hidden from the operating system.
 13. The storage medium of claim 11, wherein the instructions, when executed, further cause the device to: enter into a secure session with the domain computing device; and perform one or more transactions within the secure session with the domain computing device.
 14. The storage medium of claim 11, wherein the secured microcontroller is to derive a value of the secure identifier via a hash operation.
 15. The storage medium of claim 11, wherein the secure identifier is a unique identifier to correspond to the pairing of the device and the first domain.
 16. The storage medium of claim 11, wherein the instructions, when executed, further cause the device to: receive a request to reset a given root identifier; reset the given root identifier; derive a replacement root identifier; and store the replacement root identifier in the non-volatile memory.
 17. The storage medium of claim 16, wherein the secure identifier is a first secure identifier, and the instructions, when executed, further cause the device to: enter into a secure session with the first domain following the reset; derive a second secure identifier for the pairing of the device and the first domain based on the replacement root identifier and the domain identifier of the first domain, wherein the second secure identifier is different from the first secure identifier; and communicate the second secure identifier to the domain computing device.
 18. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a device, cause the device to: identify, using a secured microcontroller of the device, a first permanent hardware identifier set as a fuse key value embedded in hardware of the device during fabrication, the first permanent hardware identifier being unique and private to the device; derive, using the secured microcontroller, a plurality of unique second private hardware identifiers of the device, each derived from the first permanent hardware identifier for a corresponding one of a plurality of different services of a first domain; store the plurality of unique second private hardware identifiers in a non-volatile memory of the device; derive, using the secured microcontroller, a plurality of hardware-based root identifiers from the plurality of unique second private hardware identifiers respectively, wherein resetting and replacing each root identifier by a user disassociates the device from a corresponding user profile maintained by the first domain; store the plurality of root identifiers in the non-volatile memory; receive a domain identifier of the first domain in a domain certificate of the first domain; derive, using the secured microcontroller, a plurality of secure identifiers for a pairing of the device and the first domain based on the plurality of root identifiers respectively and the domain identifier of the first domain, each of the plurality of secure identifiers being different and corresponding to one of the plurality of unique second private hardware identifiers; cause, using the secured microcontroller, a secure identifier of the plurality of secure identifiers to be sent over a secured channel to a domain computing device of the first domain; responsive to a request received from the first domain, identify, using the secured microcontroller, an initial set of security posture data for the device; cause, using the secured microcontroller, the initial set of security posture data for the device to be provided to the domain computing device over the secured channel; identify, using the secured microcontroller, an additional set of security posture data for the device based on a first interaction between the first domain and the device; and cause, using the secured microcontroller, the additional set of security posture data for the device to be provided to the domain computing device over the secured channel.
 19. The storage medium of claim 18, wherein the instructions, when executed, further cause the device to, re-derive, using the secured microcontroller, the secure identifier when the device is to establish another secure session with the domain computing device.
 20. The storage medium of claim 18, wherein the instructions, when executed, further cause the device to: receive a request to reset a given root identifier; reset the given root identifier; derive a replacement root identifier; store the replacement root identifier in the non-volatile memory; identify an opportunity for the device to participate in a secure session with the first domain following the reset; derive a second secure identifier for the pairing of the device and the first domain based on the replacement root identifier and the domain identifier of the first domain, wherein the second secure identifier is different from the secure identifier; and communicate the second secure identifier to the domain computing device. 